- Arkansas-based practice management software provider MedEvolve has finally copped to a healthcare data breach at one of its customers, Premier Immediate Medical Care, which may have impacted more than 200,000 current and former patients of Premier.
In a July 10 release, MedEvolve said that it discovered “on or about” May 11 that a FTP server containing an unsecured file with data on Premier patients was accessible via the internet.
MedEvolve said that its investigation determined that the unsecured file containing the data was accessible on the internet from March 29 to May 4 and that an unauthorized third party accessed the file on March 29.
The file that was accessible contained patients’ names, billing addresses, telephone numbers, primary health insurers, and the Social Security numbers for some of the individuals, according to the release.
DataBreaches.net reported on May 16 that an independent researcher had contacted it about a data breach on MedEvolve’s FTP server that may have exposed PHI on more 200,000 patients. The researcher said that patient data involving two clients, Premier and Texas-based dermatologist Dr. Beverly Held, was viewable on the internet.
Premier had a SQL database with 205,000 patient records that was not secured. Around 11,000 of those records contained Social Security numbers. Dr. Held had three unsecured .dat files with 12,000 Social Security numbers exposed.
DataBreaches.net said it contacted MedEvolve at the time about the exposed data, and the files were then removed from public access. If true, this suggests that MedEvolve was not aware of the data breach prior to being contacted by DataBreaches.net.
In its release, MedEvolve did not disclose how many patients were affected by the breach and did not mention the exposure of Dr. Held’s patients. Also, OCR has not posted the breach on its Breach Portal as of July 12.
PHI of 4,700 Exposed by VCU Health System Employee
Virginia-based VCU Health System said an employee “inappropriately accessed” health information for about 4,700 people or their children, reported NBC 12 in Richmond on July 6.
A VCU Health System investigation found that an employee accessed the information between January 3, 2003, and May 10, 2018.
The information included patients’ names, home addresses, dates of birth, medical record numbers, healthcare providers, visit dates, health insurance information, medical information, and in some cases, Social Security numbers.
The employee was subsequently fired for the breach.
VCU Health System is offering free credit monitoring and identity theft protection services for one year to the victims whose Social Security number was accessed.
VCU Health System said that it has “no indication that private health information has been or will be used for any malicious purposes.”
Arkansas Children’s Employee Misused 4,500 Patient Records
Arkansas Children's Hospital said that a former employee is under investigation for misuse of information on 4,500 patients, Fox 16 in Little Rock reported on July 11.
The hospital said it learned from law enforcement on May 9 that a former employee was under investigation for misuse of information for personal gain during employment from November 7, 2016, to February 6, 2018.
“We were deeply troubled to learn about the alleged actions of this individual, which do not reflect the hospital’s values in any way,” said Vice President of Compliance for Arkansas Children’s Hospital Erin Parker in a statement.
“As the champions for children in our community, we hold ourselves to the highest standards of behavior, and that includes treating patients, families, and each other with dignity and respect at all times.”
Working with law enforcement, ACH completed an audit of the accounts that had been viewed by the individual while employed at the hospital. The hospital informed potential victims as soon as law enforcement authorized the disclosure, the hospital said.
ACH is providing one year of free credit monitoring and identity protection services to potential victims.